PVE4 - VM Firewalls not working

nedry

I've got a clean install of Proxmox 4 with a newly created LXC container. I enabled the firewall for the datacenter and the node. I see the expected rules when I run iptables-save.

Next, as a test, I enabled the container's firewall and added two rules, one to DROP POP3 and the other to REJECT IMAP. When I view the rules using iptables-save, no rules have been added for POP3 or IMAP. Also, pve-firewall simulate shows that the rules are not working.

What am I missing?

# cat 100.fw:
Code:
[OPTIONS]
enable: 1
[RULES]
IN POP3(DROP) -i net0
IN IMAP(REJECT) -i net0

# cat cluster.fw:
Code:
[OPTIONS]
enable: 1

# pve-firewall simulate -to ct100 -dport 143
Code:
Test packet:
  from    : outside
  to      : ct100
  proto   : tcp
  dport   : 143
ACTION: ACCEPT

# pve-firewall simulate -to ct100 -dport 110
Code:
Test packet:
  from    : outside
  to      : ct100
  proto   : tcp
  dport   : 110
ACTION: ACCEPT
 
Thank you for that information, Dietmar. That worked. FWIW, I could only enable the firewall flag on the network interface while the VM was shut down.

I can see that the firewall configurations for the DC and VM are stored in cluster.fw and 100.fw, respectively. Where is the configuration for the host and network interface stored?
 

> I can see that the firewall configurations for the DC and VM are stored in cluster.fw and 100.fw, respectively. Where is the configuration for the host and network interface stored?

Host firewall is stored at:

/etc/pve/nodes/<nodename>/host.fw

Network interface firewall flag is inside the VM config.
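
The condition that caused this thread can be checked mechanically: a guest whose .fw file has `enable: 1` while a `netN` line in its config lacks `firewall=1`. The following is an added example, not code from the thread or from Proxmox; the function names are hypothetical and the guest config contents are constructed samples.

```python
import re

def fw_enabled(fw_text):
    """True if the [OPTIONS] section of a guest .fw file contains 'enable: 1'."""
    section = None
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            section = header.group(1).strip().upper()
        elif section == "OPTIONS":
            key, _, value = line.partition(":")
            if key.strip().lower() == "enable":
                return value.strip() == "1"
    return False

def nics_without_firewall(conf_text):
    """netN devices in a guest config whose option string lacks firewall=1."""
    missing = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # snapshot sections follow the live config
            break
        m = re.match(r"(net\d+):\s*(.+)", line)
        if m:
            opts = dict(p.partition("=")[::2] for p in m.group(2).split(","))
            if opts.get("firewall") != "1":
                missing.append(m.group(1))
    return missing

def unfiltered_nics(fw_text, conf_text):
    """Interfaces where guest rules are enabled but are not applied to traffic."""
    return nics_without_firewall(conf_text) if fw_enabled(fw_text) else []

# 100.fw as posted in the thread
FW_100 = "[OPTIONS]\nenable: 1\n[RULES]\nIN POP3(DROP) -i net0\nIN IMAP(REJECT) -i net0\n"
# Constructed container configs: before and after setting the interface flag
CONF_BEFORE = "hostname: ct100\nnet0: bridge=vmbr0,hwaddr=02:00:00:00:00:01,name=eth0,type=veth\n"
CONF_AFTER = "hostname: ct100\nnet0: bridge=vmbr0,firewall=1,hwaddr=02:00:00:00:00:01,name=eth0,type=veth\n"

if __name__ == "__main__":
    print("before:", unfiltered_nics(FW_100, CONF_BEFORE))
    print("after: ", unfiltered_nics(FW_100, CONF_AFTER))
```

On a node, the two strings would be read from the guest's .fw file and its VM config; an empty result means every interface carries the flag.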